Hancock Fabrics Hackers Switch Stores' PIN Pads

Targeting point-of-sale devices with malicious software is standard practice, as the wave of retail hackings over the last few years have shown. But targeting them with malicious hardware -- that requires another level of brazenness altogether.

According to a letter that retailer Hancock Fabrics sent out to its customers last week, the swipe and type PIN pad gadgets used in debit and credit card transactions in several of its Wisconsin stores were actually stolen and replaced with "visually identical, but fraudulent, PIN pad units."

Hancock Fabric didn't reveal the number of victims affected by the scheme, and hasn't responded to our request for more information. And this is nothing new, apparently. Wendy's, for instance, suffered from a similar pad-switching breach as early as 2007.

But when we spotted this in the Identity Theft Resource Center's breach report, we were impressed nonetheless: Imagine the criminal guts required to walk into a retail store, steal the PIN pad next to a register, and plant your own, malicious look-a-like under the nose of one of your victims' employees.

While this seems to sometimes take place after hackers break into a closed store, the setup also occurs in broad daylight, as in the footage that local media in Saanich, British Columbia got their hands on after a similar scam in a Vancouver Fairway. Watch the switch at around 1 minute 17 seconds here:

This PIN-pad scheme is in some ways just a variation on fairly common ATM skimming hardware techniques, which attach to the machines and invisibly siphon off credit card data. Blogger Brian Krebs recently assembled some fascinating photos of ATM skimming gadgets. But ATM machines are often outdoors or in the corner of a mall, not in prime view of the cybercriminal's target.

In other words, the PIN-pad switch seems to require an extra dose of hacker chutzpah.